[
https://issues.apache.org/jira/browse/WW-5340?focusedWorklogId=883579&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-883579
]
ASF GitHub Bot logged work on WW-5340:
--------------------------------------
Author: ASF GitHub Bot
Created on: 05/Oct/23 17:29
Start Date: 05/Oct/23 17:29
Worklog Time Spent: 10m
Work Description: kusalk commented on code in PR #760:
URL: https://github.com/apache/struts/pull/760#discussion_r1347763341
##########
core/src/main/java/org/apache/struts2/dispatcher/multipart/JakartaMultiPartRequest.java:
##########
@@ -142,26 +142,22 @@ protected void processNormalFormField(FileItem item,
String charset) throws Unsu
}
long size = item.getSize();
- if (size == 0) {
- values.add(StringUtils.EMPTY);
- } else if (size > maxStringLength) {
+ if (size > maxStringLength) {
+ LOG.debug("Form field {} of size {} bytes exceeds limit of
{}.", item.getFieldName(), size, maxStringLength);
Review Comment:
I think logging the field name at the debug level is fine in terms of
security?
Issue Time Tracking
-------------------
Worklog Id: (was: 883579)
Time Spent: 4h 50m (was: 4h 40m)
> Introduce optional AST node exclusion list
> ------------------------------------------
>
> Key: WW-5340
> URL: https://issues.apache.org/jira/browse/WW-5340
> Project: Struts 2
> Issue Type: Improvement
> Components: Core
> Reporter: Kusal Kithul-Godage
> Priority: Minor
> Fix For: 6.4.0
>
> Time Spent: 4h 50m
> Remaining Estimate: 0h
>
> Enhance security by implementing an optional exclusion list (in struts.xml)
> where applications can specify AST nodes that are not required in their
> applications or are known to carry higher security risk.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
